Cross-site scripting (XSS) remains one of the most prevalent web application vulnerabilities today, and is a leading cause of data breaches. One of the most promising solutions to combat XSS is the W3C standard Content Security Policy (CSP). Content Security Policy requires that the web application be written with certain constraints: namely, that all script (code) components of the application be kept in separate files from the HTML (presentation) components, and that the Content-Security-Policy HTTP header be used to tell the browser from which locations the code components may be loaded. Using this mechanism, even if an attacker were able to successfully inject into a web application, the injected code would not run, because its location would not have been specified in the CSP header (i.e. it did not come from the server).
The vast majority of applications today are not written with this separation of code and presentation, and as such are incapable of using the CSP header.
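The following is an added illustration of the browser-side decision described above; it is not code from the original text or from any product it describes. It parses the `script-src` directive of a Content-Security-Policy header (falling back to `default-src`, as browsers do) and decides, for each script on a constructed sample page, whether it would be allowed to execute. It goes slightly beyond the paragraph by handling the general source-expression forms (`'self'`, host sources, wildcard subdomains, scheme sources) rather than only the single case in the text. The page origin, the header strings and the script list are constructed sample values; the inline payload is a harmless placeholder standing in for whatever an attacker injected.

```python
"""Toy evaluator of a CSP script-src directive (added example, not the
original text's code).  Models three deployments: no header at all, a
header written for an application that separates code from presentation,
and a header that keeps 'unsafe-inline' because the application cannot.
All origins, headers and scripts below are constructed sample values."""

from urllib.parse import urljoin, urlsplit

PAGE_ORIGIN = "https://app.example"  # constructed sample origin of the page

# Constructed sample scripts as the browser sees them on one rendered page:
# the application's own external scripts plus an inline script that an
# attacker managed to inject into the HTML (the injection itself is out of
# scope here; "alert(1)" is only a placeholder for the injected content).
PAGE_SCRIPTS = {
    "app_bundle": ("external", "/static/app.js"),
    "cdn_lib": ("external", "https://cdn.example/lib.js"),
    "injected_inline": ("inline", "alert(1)"),
}

NO_CSP = ""
SEPARATED_APP_CSP = "default-src 'self'; script-src 'self' https://cdn.example"
LEGACY_APP_CSP = "script-src 'self' https://cdn.example 'unsafe-inline'"


def parse_csp(header):
    """Turn "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; absent that, default-src; absent both, None."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def source_matches(source, script_url):
    """Simplified match of one source expression against an external script URL."""
    src = urlsplit(urljoin(PAGE_ORIGIN + "/", script_url))  # resolve relative URLs
    page = urlsplit(PAGE_ORIGIN)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return (src.scheme, src.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        return False  # other keyword sources (e.g. 'unsafe-inline') never match URLs
    if source.endswith(":"):  # scheme source such as "https:"
        return src.scheme == source[:-1]
    allowed = urlsplit(source if "://" in source else f"{page.scheme}://{source}")
    if allowed.scheme != src.scheme:
        return False
    if allowed.netloc.startswith("*."):
        host_ok = src.netloc.endswith(allowed.netloc[1:])
    else:
        host_ok = src.netloc == allowed.netloc
    return host_ok and src.path.startswith(allowed.path)


def script_allowed(header, script):
    """True if the browser would execute `script` under `header`."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no policy delivered: every script on the page runs
    kind, value = script
    if kind == "inline":
        # Inline code has no location the header could name; it only runs
        # if the policy explicitly re-enables it, which voids the protection.
        return "'unsafe-inline'" in sources
    return any(source_matches(s, value) for s in sources)


def evaluate_page(header):
    """Decision for every script on the sample page under one header."""
    return {name: script_allowed(header, s) for name, s in PAGE_SCRIPTS.items()}


if __name__ == "__main__":
    for label, header in [("no CSP", NO_CSP),
                          ("separated app", SEPARATED_APP_CSP),
                          ("legacy app", LEGACY_APP_CSP)]:
        print(f"{label:14s} {header!r}")
        for name, allowed in evaluate_page(header).items():
            print(f"    {name:16s} {'runs' if allowed else 'blocked'}")
```

Running it shows the contrast the text draws: with `script-src 'self' https://cdn.example` the application's own external scripts load while the injected inline script is blocked, whereas an application that still mixes code into its HTML must add `'unsafe-inline'`, after which the injected script runs exactly as it would with no header at all.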
Some technologies for defending against XSS attacks are disclosed in U.S. Pat. No. 8,752,183 (Systems and methods for client-side vulnerability scanning and detection), U.S. Pat. No. 8,615,804 (Complementary character encoding for preventing input injection in web applications), U.S. Pat. No. 8,578,482 (Cross Site Script Detection and Prevention), U.S. Pat. No. 7,343,626 (Automated detection of cross site scripting vulnerabilities), U.S. Pat. No. 8,448,241 (Browser extension for checking website susceptibility to cross site scripting) and U.S. Pat. No. 8,112,799 (Method, system, and computer program product for avoiding cross-site scripting attacks).
These prior-art technologies, however, do not address the problem of vulnerabilities created by improperly written web applications.